From f5f85666c80a92e2552769476935a46bc4644ccb Mon Sep 17 00:00:00 2001
From: Michael Tipton <36353334+CastawayEGR@users.noreply.github.com>
Date: Wed, 24 Apr 2024 15:44:31 -0400
Subject: Add ability to set SameSite policy for userLoggedIn cookie (#15100)

* Add ability to set SameSite policy for userLoggedIn cookie

* reformat line for linter
---
 awx/api/generics.py      | 4 +++-
 awx/settings/defaults.py | 3 +++
 awx/sso/views.py         | 4 +++-
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/awx/api/generics.py b/awx/api/generics.py
index 7c7fda877e..c51470c1a4 100644
--- a/awx/api/generics.py
+++ b/awx/api/generics.py
@@ -95,7 +95,9 @@ class LoggedLoginView(auth_views.LoginView):
         ret = super(LoggedLoginView, self).post(request, *args, **kwargs)
         if request.user.is_authenticated:
             logger.info(smart_str(u"User {} logged in from {}".format(self.request.user.username, request.META.get('REMOTE_ADDR', None))))
-            ret.set_cookie('userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False))
+            ret.set_cookie(
+                'userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False), samesite=getattr(settings, 'USER_COOKIE_SAMESITE', 'Lax')
+            )
         ret.setdefault('X-API-Session-Cookie-Name', getattr(settings, 'SESSION_COOKIE_NAME', 'awx_sessionid'))
         return ret
 
diff --git a/awx/settings/defaults.py b/awx/settings/defaults.py
index 751e419730..c927086354 100644
--- a/awx/settings/defaults.py
+++ b/awx/settings/defaults.py
@@ -277,6 +277,9 @@ SESSION_COOKIE_SECURE = True
 # Note: This setting may be overridden by database settings.
 SESSION_COOKIE_AGE = 1800
 
+# Option to change userLoggedIn cookie SameSite policy.
+USER_COOKIE_SAMESITE = 'Lax'
+
 # Name of the cookie that contains the session information.
 # Note: Changing this value may require changes to any clients.
 SESSION_COOKIE_NAME = 'awx_sessionid'
diff --git a/awx/sso/views.py b/awx/sso/views.py
index c23ee4428a..b6fd724df7 100644
--- a/awx/sso/views.py
+++ b/awx/sso/views.py
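Review bot: The samesite value in the new `ret.set_cookie(...)` call is passed straight from USER_COOKIE_SAMESITE without any check, and independently of the `secure` flag that comes from SESSION_COOKIE_SECURE; a deployment that sets the policy to 'None' while SESSION_COOKIE_SECURE is False emits a cookie that browsers discard (cross-site cookies require the Secure attribute), and a value outside Lax/Strict/None makes Django's set_cookie raise a ValueError in the middle of login. Consider resolving both settings into locals before the call, e.g. `secure = getattr(settings, 'SESSION_COOKIE_SECURE', False)` and `samesite = getattr(settings, 'USER_COOKIE_SAMESITE', 'Lax')`, and guarding the 'None'-without-Secure combination there rather than letting the inconsistency surface only in the browser. The same pattern appears in the awx/sso/views.py hunk (CompleteView.dispatch), so the guard should live in one place. LoggedLoginView.post begins before this hunk.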
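Review bot: The comment added above USER_COOKIE_SAMESITE does not say which values are accepted or that 'None' only works together with SESSION_COOKIE_SECURE = True, which is the one combination an operator is likely to get wrong. A fuller comment would be `# Valid values are 'Lax', 'Strict' and 'None'. 'None' only takes effect when SESSION_COOKIE_SECURE is True, since browsers require the Secure attribute for cross-site cookies.` The neighbouring SESSION_COOKIE_* entries also state whether database settings may override them; I cannot tell from the hunk whether that applies here, but stating it either way would keep the block consistent.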
@@ -38,7 +38,9 @@ class CompleteView(BaseRedirectView):
         response = super(CompleteView, self).dispatch(request, *args, **kwargs)
         if self.request.user and self.request.user.is_authenticated:
             logger.info(smart_str(u"User {} logged in".format(self.request.user.username)))
-            response.set_cookie('userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False))
+            response.set_cookie(
+                'userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False), samesite=getattr(settings, 'USER_COOKIE_SAMESITE', 'Lax')
+            )
         response.setdefault('X-API-Session-Cookie-Name', getattr(settings, 'SESSION_COOKIE_NAME', 'awx_sessionid'))
         return response
 
-- 
cgit v1.2.3
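Review bot: The new `response.set_cookie(...)` call here is now a line-for-line copy of the one in awx/api/generics.py (LoggedLoginView.post), including both getattr fallbacks, so any later change to the cookie name, the defaults or the secure/samesite coupling has to be made in two places and can silently drift. A small shared helper, e.g. `def set_user_logged_in_cookie(response):` wrapping `response.set_cookie('userLoggedIn', 'true', secure=getattr(settings, 'SESSION_COOKIE_SECURE', False), samesite=getattr(settings, 'USER_COOKIE_SAMESITE', 'Lax'))`, called from both views would keep the API login and SSO completion paths identical. CompleteView.dispatch begins before this hunk.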